Which? highlights retailers breaching data protection and privacy laws with their e-receipts

Research from consumer rights guardian Which? has highlighted the data protection dangers of e-receipts, and found that some retailers are in breach of data protection and privacy rules when they use them for direct marketing.

Which? sent mystery shoppers to various high street brands, where they asked to receive e-receipts but with no marketing. While some retailers sent the electronic receipts purely as receipts, a number also included marketing information with them.

The rules on electronic marketing are clear when it comes to opting out of marketing. If you don’t want email marketing messages, in any format, then you have a right to say no, and under no circumstances can marketing materials still be sent. This applies to your customers and covers all marketing messages. So those sending e-receipts which include banners or other marketing messages are in breach of the Data Protection Act 2018 and the Privacy & Electronic Communications Regulations 2003.

As Which? highlights:

An ICO spokesperson said: ‘Retailers must understand it’s not enough to assume that because a customer has given their email address to receive an e-receipt that they are happy for it to be used for other purposes.

‘Being transparent about the collection and use of data and giving customers informed choices over how their data will be used is key to ensuring compliance with the law and building trust.

‘Anyone who has received an e-receipt email that includes direct marketing when they have specifically objected can complain to the organisation that sent it in the first instance, and if they remain unsatisfied they can complain to the ICO.’

You can read more about the research on Which? here. It’s a larger piece about the use of e-receipts but makes interesting reading in terms of their findings about how e-receipts are increasingly being used.

What does this mean for your business?

If you use e-receipts or agree to send any messaging to someone who has said they don’t want marketing, then you are on dodgy ground if you send them marketing messages. Key things you need to do:

  1. Make sure your staff understand what it means when someone says they don’t want any marketing – opting out of marketing can be by any means: face to face, over the phone, via email, by letter
  2. If you send automated content out, like e-receipts or updated terms and conditions, you will need different processes for those who have opted in and those who have opted out of your marketing

Unsure what this means to your business? No worries – that’s what the Digital Compliance Hub is all about. Helping businesses get to grips with what they need to do to comply with the GDPR, privacy, marketing and other regulations too. With information and guidance in plain English and a helpline for when you need to ask some questions, specific to your business. Sign up today for a free trial.
